(57) Abstract

A smartcard securely stores confidential data. Security is promoted by also storing within the smartcard memory a PIN token generated from biometric data provided by the cardholder. The biometric data may be any or all of a signature, a fingerprint, a voiceprint, and a video image, made by the cardholder, signal processed and stored securely in memory within the smartcard. When the smartcard is used in a transaction, access to the stored confidential data (250) is not allowed until the person presenting the card first recreates a biometric (200) substantially equivalent to what is represented by the memory-stored biometric PIN token (230).
USER BIOMETRIC-SECURED SMARTCARD HOLDING DATA FOR MULTIPLE CREDIT CARDS

RELATIONSHIP TO PENDING PATENT APPLICATIONS 
U.S. patent application 08/853,955 entitled "Modular Signature and Data Capture System and Point of Transaction Payment and Reward System", filed 9 May 1997 and assigned to the present assignee, discloses a flexible point of sale transaction terminal that may be used to practice the present invention.

FIELD OF THE INVENTION 
This invention relates to systems and methods for securing confidential information, and more specifically to systems and methods to permit use of a smart card to retain confidential data for multiple credit cards with security provided by at least one biometric provided by the smart card owner.

BACKGROUND OF THE INVENTION 
Credit cards and debit cards have found increasingly wide use in commercial transactions. A financial institution issues a card to a qualified user who uses the card to pay for merchandise and/or services during a transaction. As shown in Fig. 1A, for a credit or debit card 10, a magnetic stripe 20 on one surface of the card carries two or more tracks 30 of magnetically encoded data 40. The data identifies the card issuer and card account number.

For a debit card, the card is issued with bank account identification data for the card owner. In use, the magnetically stored data is read and points to the user's account, from which it is determined whether the present transaction amount can be covered. Typically, cards that store data magnetically can at present only store about 200 bytes per card.

Fig. 1B shows a smartcard 50, which includes solid state memory 60 storing user data 70. Whereas magnetic storage on credit or debit cards is presently limited to perhaps 200 bytes of data, memory 60 in smartcard 50 can store substantially more data. For example, data 70 may include any or all of bank account numbers, medical data, client names and telephone numbers, among other data.

Some individuals carry and use many different cards. Unfortunately carrying a few cards in one's wallet can render the wallet extremely bulky. Thus, there is a need for a method by which the bulk associated with carrying a plurality of cards can be substantially reduced.

Understandably the data stored in credit, debit, or smartcards (collectively "cards") must be maintained in a confidential manner, to prevent unauthorized charges against the subject account. One technique used to promote confidentiality of data stored in cards is to provide the card owner with a personal identification number ("PIN"), or password. When the card is being used during a transaction, the card user must manually enter the PIN on whatever device is used to read data from the card. If the card-stored PIN data agrees with what is now manually entered, the transaction can proceed, otherwise it will not proceed.

Unfortunately, card owners often forget their PIN. Other card owners may pick a PIN that is too easily compromised by a third party who somehow obtains the card, for example, a PIN that is simply the initials of the card owner. Thus, there is a need for a methodology that allows a card owner to reliably provide the correct PIN without memorization, which PIN cannot readily be compromised by third parties.

Further, there is a need for a system or method by which the equivalent of a plurality of cards can be implemented without undue bulk, while protecting data stored therein with a PIN that need not be memorized and that cannot readily be compromised.

The present invention provides such a system and method.

SUMMARY OF THE PRESENT INVENTION 
The present invention provides a single omnibus smartcard that can store data otherwise contained in at least two magnetically stored cards and/or at least one other smartcard. By storing multiple sources of data within a single smartcard, the bulk otherwise needed to store a plurality of cards is reduced.

To preserve confidentiality of data stored in the single omnibus smartcard, data representing a characteristic of the card owner is reduced to a token number that is also stored in the smartcard. This token number then represents the user's PIN. As such, there is no PIN that must be remembered by the user. The user characteristic preferably is a signature, but may be the user's fingerprint or voiceprint.

In the preferred embodiment, whenever the omnibus smartcard is used, the user provides a signature on a vendor's signature capture device. The capture device generates a token value from the signature. This real-time token value is compared with the true token value stored within the omnibus smartcard. If the two token values agree, the transaction can proceed. If they do not agree, the card user can be asked to provide a second signature to the vendor to re-check the token match. If there is no match, the transaction should not proceed. If the stored user characteristic is a fingerprint, when the smartcard is used the card user will provide a fingerprint to a fingerprint capture device that will generate a token value therefrom. If the stored user characteristic is a voiceprint, e.g., the user saying the user's name, when the smartcard is used, the card user will enunciate the name into a voice capture device that will generate a token value therefrom.

In this fashion, data otherwise stored within a plurality of cards is storable within a single omnibus smartcard, with PIN-level security that does not require memorization of a PIN value, and that cannot readily be compromised by dishonest third persons.

Other features and advantages of the invention will appear from the following description in which the preferred embodiments have been set forth in detail, in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 
FIG. 1A and FIG. 1B depict credit/debit and smartcards, respectively, according to the prior art;

FIG. 2 depicts an omnibus smartcard with enhanced PIN security, according to the present invention;

FIG. 3A depicts use of an omnibus smartcard according to a preferred embodiment of the present invention during a transaction;

FIG. 3B depicts use of an omnibus smartcard according to 
alternative embodiments of the present invention during a 
transaction; and 

FIG. 4 is a flowchart depicting steps carried out during 
a transaction using an omnibus smartcard, according to 
the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 
Fig. 2 depicts an omnibus smartcard 80 with enhanced PIN security, according to the present invention. By "omnibus" it is meant that smartcard 80 stores data that ordinarily would be stored in at least two separate cards (credit card, debit card, or smartcard) according to the prior art. Smartcard 80 has an internal memory 90 that is shown storing data 40 (which may be identical to data 40 stored on a prior art credit card or debit card 10 as shown in Fig. 1A), data 40-1 (which may otherwise have been stored on another prior art credit or debit card such as card 10), data 70 (which may be identical to data 70 stored in a prior art smartcard 50 as shown in Fig. 1B), as well as data 70-1 (which might otherwise have been stored on another prior art smartcard such as card 50). For purposes of the present invention, it will be assumed that smartcard 80 stores at least 2 Kbytes of data, e.g., preferably more data than could be stored on a single prior art credit or debit card with magnetic data storage. Modern memory 90 can today store 8 Kbyte to 16 Kbyte, and future smartcard memory 90 will probably store at least 32 Kbyte. Regardless of its storage capacity, physically memory 90 is encapsulated within the body of card 80 per se.

Although Fig. 2 depicts omnibus smartcard 80 as storing data that would otherwise be stored in two credit/debit cards and two smartcards (e.g., a total of four cards), it is understood that the contents stored in memory 90 may include more or less than what would be stored in four prior art cards. Further, there is no need that memory 90 store data otherwise stored magnetically and in solid state, or that there be a 50%:50% proportion between the nature of what is stored in memory 90 in omnibus smartcard 80.

Note that omnibus smartcard memory 90 also stores cardholder characteristic data 100. According to the present invention, data 100 is a PIN value that must be re-generated at the time and place of a transaction involving omnibus smartcard 80. Rather than store a combination of numbers that the cardholder wishes (and must of course remember), data 100 is a digital token number that has been generated from a biometric or characteristic of the cardholder.

In the preferred embodiment the biometric will be the cardholder's signature, fingerprint, and/or voiceprint. Other potentially useful biometrics can include a scan of the retina of the cardholder, as well as a scan of the face of the cardholder.

When the cardholder first obtains an omnibus smartcard 80, the cardholder will provide the card issuer with a true exemplar of his or her biometric. Assume that the card will be issued by a local bank. The cardholder will go to the bank and provide a signature and/or a fingerprint and/or a voiceprint (e.g., enunciating the cardholder's name or some other word(s) that will be remembered). However, it is within the scope of the present invention that the biometric may include a retinal scan as well as a scan of the cardholder's face.

Using a signature biometric, note that as the cardholder writes the signature, the signature capture device captures the relative amount of force used to write different portions of the signature, as well as the relative time spent writing different portions of the signature. Such data is richer in biometric content than if a photocopy of the signature were merely scanned electronically to generate a token.

The card issuer will electronically scan or otherwise process the cardholder-biometric exemplar to represent that data as a unique token number. Techniques for reducing a signature, or a portion of a fingerprint, or a voiceprint to a digital token representation are known in the art and need not be described in detail here. Suffice to say that for each instance of the same user's signature, fingerprint, or voiceprint, a token value may be generated. Although there may be some variations between signatures or voiceprints made by the same user at different times, the algorithm used to generate the signature or voiceprint token number will look at the common features, and will generate essentially the same value each time. It is this signature, fingerprint, voiceprint (or indeed other reproducible cardholder biometric) token value that is stored as data 100 within omnibus smartcard 80, for use as a PIN during transactions made with the card.

It will be appreciated that one advantage of a signature, fingerprint, or voiceprint PIN token is that the cardholder need not memorize any number. All the cardholder must remember is to write his or her signature essentially the same way each time, or speak essentially the same each time, something most people do automatically. (In the case of a cardholder biometric that is a fingerprint, reproducibility of the fingerprint is essentially assured time after time.)

Because there is no PIN value for the cardholder to memorize (indeed the cardholder need never know his/her stored biometric PIN token), the PIN is not readily compromised. As will be seen, the only way a dishonest third party coming into possession of omnibus smartcard 80 can re-generate the relevant signature PIN value 100 is to perfectly forge the cardholder's signature or imitate the voice during the time of a transaction or somehow have a finger that will reproduce the cardholder's fingerprint.

Assume that the cardholder (or indeed a third party coming into possession of omnibus smartcard 80) wishes to make a transaction using the card. Referring to Fig. 3A, at the time and place of the transaction, the person presenting the smartcard will be asked to make a signature 110 using a stylus 120 upon the screen surface 130 of a signature capture device 140. An exemplary such signature capture device is the PenWare 3000, available from Mobilnetics Systems, Inc. of Delaware. Of course other such devices may instead be used.

Internal to or associated with device 140 will be electronics 150. Electronics 150 captures and signal processes the signature data from screen 130. Electronics 150 also executes an algorithm to represent the just-captured signature data as a real-time signature PIN token. Preferably the algorithm executed by or associated within device 140 will be similar to what was used to generate a signature PIN token such as is stored as data 100 within an omnibus smartcard, according to the present invention.



Before or after signature 110 is made during the transaction, the person intending to use smartcard 80 will cause the relevant portions of memory 90 to be read, e.g., preferably by device 140 or an equivalent device. Among the data to be read will be the actual signature PIN token data 100 that is known to represent the actual signature of the true owner of smartcard 80.

Electronics 150, which can be disposed within a host system 160 coupled to system 140 via a communications port 165, will now compare the genuine signature PIN token data 100 (read from card 80) with the just-generated signature PIN token data. If these two data are in substantial agreement, the subject transaction will go forward. Thus, relevant account data 40, or 40-1, or 70, or 70-1 will be read from memory 90 in smartcard 80, e.g., using device 140 (or the equivalent). The data read can be processed by remote host system 160 to make the transaction. In a commercial environment, device 140 will typically be at the cash register of a merchant's store, whereas system 160 may be the store's LAN computer system, or may be a remote databank-type system subscribed to by the merchant.

If, however, there is substantial disagreement between genuine signature PIN token data 100 and the just-generated signature PIN token data, further inquiry must be made. As noted, there is some signature-to-signature deviation and the algorithm(s) used to examine the transaction can take such deviation into account. For example if the deviation appears to be just slightly out of the normal range of acceptance, electronics 150 can advise the merchant (e.g., through a message appearing on screen 130, or by audible beeps, etc.) to have the user re-sign his or her name on screen 130 for further analysis.

In some instances it may be desired to have the user produce a driver's license or other signature-bearing identification. If desired, system 140 could be augmented to permit document scanning of a signature, e.g., from the user's driver's license, for electronic comparison against the just-generated signature and/or against the true signature PIN token data 100. If desired, the document-scanned signature could be used to generate a third token value for comparison with genuine PIN token data 100.

Fig. 3B depicts the use of stored data 100 that represents a cardholder biometric that is a fingerprint, a voiceprint, a scan of the retinal portion of the cardholder's eye, and/or a scan of at least a portion of the cardholder's face. At the time and place of a transaction, the person presenting the smartcard will be asked to provide a fingerprint 170 upon a capture screen 175, and/or a voiceprint (shown as sound waves 180 emitted by the person 185 presenting the smartcard) detected by a microphone or the like 190 associated with an appropriate device 140'. For a retinal or face biometric, a TV camera or the like and associated electronics 195 will capture an image of the retina or face of the person 185 presenting the card. In a manner known in the art, the retinal scan or facial scan will be signal processed and reduced to an electronic token value. (In these embodiments, the cardholder would have presented himself or herself to the institution providing the smartcard, at which time the relevant biometric would have been captured, signal processed, and stored as compressed data 100 within memory 90 in smartcard 80.)

Device 140' may be similar to device 140, except that it will now be augmented to capture fingerprints and/or soundwaves and/or video images for signal processing and reduction to a PIN token value.

Assume that electronics 150 captures and signal processes the fingerprint, voiceprint, or video (e.g., retinal scan or portion or all of a facial scan) data and also executes an algorithm to represent the just-captured data as a real-time fingerprint or voiceprint PIN token. Preferably the algorithm executed by or associated within device 140' will be similar to what was used to generate the fingerprint, voiceprint, or video PIN token such as is stored as data 100 within an omnibus smartcard, according to the present invention.

Similarly to what was above-described with respect to Fig. 3A, during the transaction, relevant portions of memory 90 are read from the smartcard, preferably by device 140' or an equivalent device. Among the data read will be the actual fingerprint, voiceprint, video PIN token data 100 that is known to represent the actual fingerprint or voiceprint of the true owner of smartcard 80.

As has been described, an electronic comparison is now made of the genuine fingerprint, voiceprint, video PIN token data 100 (read from card 80) with the just-generated fingerprint or voiceprint PIN token data. If these two data are in substantial agreement, the subject transaction will go forward, as was described. If, however, there is substantial disagreement between the genuine PIN token data 100 and the just-generated PIN token data, further inquiry will typically be made.

It will be appreciated that data 100 stored in memory 90 within smartcard 80 is not limited to a single biometric per user. For example, signature and fingerprint tokens may be compressed and stored in a few hundred bytes of memory each. Depending upon the storage capacity of memory 90, it is possible that all of the above-described parametrics could be stored for each user, or perhaps just two or three parametrics per user. It will be appreciated that if more than one user is permitted to use the smartcard, one or more appropriate parametrics per user may be stored within the smartcard memory.

Fig. 4 depicts the methodology practiced with the present invention. At step 200, the purported card owner must provide a real-time signature, fingerprint, voiceprint, or video image. As noted, this commonly would be done using an appropriate device such as shown in Fig. 3A or 3B. Typically at a point of transaction, perhaps a cash register area, the person using the card will write a signature, or provide a fingerprint, speak into a microphone, and/or allow a video image of his/her face or perhaps eye retina to be made.

At step 210, the just-generated biometric is scanned and/or signal processed electronically to generate real-time PIN token data. This real-time data will be the token-equivalent of the just-generated signature, fingerprint, voiceprint, and/or video image.

At method step 220, data 100 stored in smartcard 80 is read to access genuine PIN token data 100 stored within. At method step 230, a comparison is made, electronically, between the real-time PIN token data and the genuine signature, fingerprint, voiceprint, video image PIN token data read from the smartcard memory. This comparison is preferably carried out by an algorithm executed by electronics 150, such as shown in Fig. 3B.

Next the result of the comparison is examined at method step 240. If there is no substantial discrepancy, the person presenting the smartcard is the smartcard owner whose signature, fingerprint, voiceprint, video image (or other parametric) PIN token data is stored within the smartcard. Using the present example, the transaction may proceed, and at step 250, the relevant data stored in smartcard memory 100 may be read, e.g., with a smartcard reader (or equivalent).

But if step 240 indicates there is a substantial discrepancy, e.g., by flashing a message on screen 130 in device 140 (or an equivalent visual message on an equivalent device), or by audibly sounding a signal, the transaction should not automatically proceed without further investigation. As noted by the phantom line, it may be desired to have the person presenting the smartcard re-sign his/her name on the signature capture device, again provide a fingerprint 170, again speak into microphone 190 (being sure to enunciate the same words stored as a token in the smartcard), and/or again be video scanned with device 195. For example, the person may have been nervous and wrote a somewhat abnormal signature the first time at step 200. If this new signature (or other repeated biometric) now passes muster at step 240, the transaction may safely proceed. Otherwise, absent independent investigation of the bona fides of the person presenting the smartcard, the transaction should not proceed.

In short, it is seen that the present invention permits a single omnibus smartcard 80 to securely retain considerable data that otherwise would be stored in a plurality of cards that collectively are rather bulky. The use of the present invention need not be limited to commercial transactions. Further, data stored within the omnibus smartcard need not of course be limited to credit card account numbers, but may include (without limitation) medical records, confidential telephone numbers that can only be read upon presenting a genuine signature to a device 140. For example, a corporation might issue omnibus smartcards 80 to key employees, wherein memory 90 stores confidential client data. Each smartcard 80 would also store genuine signature, fingerprint, voiceprint, video (and/or other biometric) PIN token data 100 for the card recipient. Thus, should the smartcard be lost or stolen, a third party could not gain access to the confidential data stored within.

To further promote confidentiality, it is understood that memory 90 may be fabricated so as to self-destruct in the event card 80 is broken into to gain physical access to memory 90. This may be accomplished by encrypting data stored in memory 90 with encryption keys maintained in memory 90, which keys are erased if the physical integrity of card 80 and/or memory 90 is violated. Techniques for protecting stored data in this fashion are known in the art and need not be further described herein.

It will also be appreciated that in some contexts, it may be desired that multiple users can share a single smartcard 80. In such instance, data 100 will include separate PIN token data for each individual user (be it signature, fingerprint, or both, PIN token data). During the course of a transaction (or course of gaining access to confidential data stored in memory 90), the relevant stored PIN token data 100 will be accessed, either because it is identical to the just-generated data, or because the user may be asked to enter his or her initials or employee number or the like as a pointer to the relevant stored PIN token data 100.
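
The following Python example is added here for illustration and is not code from the application. It models the Fig. 4 flow (steps 200 to 250) together with the key-erasure and multi-user provisions described above, with the comparison done on the terminal side as the description has it. The token as a numeric feature vector, the normalised-distance metric, the threshold values, the user identifiers, the SHA-256 keystream standing in for a real cipher, and every function and class name are assumptions of the example.

```python
# Added example, not code from the application. The token format, distance
# metric, thresholds and SHA-256 keystream (a stand-in cipher) are assumptions.
import hashlib
import math
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

ACCEPT = 0.10       # assumed "predetermined acceptance threshold"
RETRY_BAND = 0.15   # assumed "just slightly out of range": earns one re-capture
MAX_ATTEMPTS = 2    # first capture plus one repeat

# Constructed sample tokens (feature vectors), not real biometric data.
ENROLLED = [0.42, 0.31, 0.77, 0.15, 0.58]
GENUINE = [0.43, 0.30, 0.78, 0.15, 0.57]
NERVOUS = [0.50, 0.36, 0.83, 0.19, 0.63]
FORGERY = [0.10, 0.80, 0.20, 0.90, 0.30]


def token_distance(stored: List[float], live: List[float]) -> float:
    """Normalised Euclidean distance between stored and real-time tokens."""
    if not stored or len(stored) != len(live):
        raise ValueError("tokens must be non-empty and of equal length")
    diff = math.sqrt(sum((s - v) ** 2 for s, v in zip(stored, live)))
    return diff / (math.sqrt(sum(s * s for s in stored)) or 1.0)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream; a placeholder for a real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class OmnibusCard:
    pin_tokens: Dict[str, List[float]]          # data 100, one entry per user
    key: Optional[bytearray]                    # encryption key held in memory 90
    sealed: Dict[str, bytes] = field(default_factory=dict)  # data 40, 40-1, 70...

    def _live_key(self) -> bytes:
        if self.key is None:
            raise PermissionError("encryption key erased; data unrecoverable")
        return bytes(self.key)

    def store(self, label: str, plaintext: bytes) -> None:
        self.sealed[label] = keystream_xor(self._live_key(), plaintext)

    def read(self, label: str) -> bytes:
        return keystream_xor(self._live_key(), self.sealed[label])

    def tamper_detected(self) -> None:
        """Physical integrity violated: overwrite the key, then drop it."""
        if self.key is not None:
            for i in range(len(self.key)):
                self.key[i] = 0
            self.key = None


@dataclass
class Decision:
    outcome: str            # "proceed" or "refuse"
    attempts: int
    distances: List[float]


def authorise(card: OmnibusCard, user_id: str,
              live_tokens: Iterable[List[float]]) -> Decision:
    """Steps 220-240. live_tokens are step 210 outputs in capture order."""
    stored = card.pin_tokens.get(user_id)       # pointer: initials, employee no.
    if stored is None:
        return Decision("refuse", 0, [])
    distances: List[float] = []
    for attempt, live in enumerate(live_tokens, start=1):
        d = token_distance(stored, live)        # step 230
        distances.append(d)
        if d <= ACCEPT:                         # step 240: no discrepancy
            return Decision("proceed", attempt, distances)
        if attempt == MAX_ATTEMPTS or d > RETRY_BAND:
            break                               # far off, or repeat already used
    return Decision("refuse", len(distances), distances)


def transact(card: OmnibusCard, user_id: str, live_tokens, label: str
             ) -> Tuple[Decision, Optional[bytes]]:
    """Release the requested record (step 250) only after a token match."""
    decision = authorise(card, user_id, live_tokens)
    if decision.outcome != "proceed":
        return decision, None
    return decision, card.read(label)


def build_demo_card() -> OmnibusCard:
    """Card with two constructed users and two constructed account records."""
    card = OmnibusCard(
        pin_tokens={"jd": ENROLLED, "ks": [0.12, 0.66, 0.25, 0.81, 0.40]},
        key=bytearray(b"constructed-demo-key-not-secret!"))
    card.store("card-A", b"ACCT-0001 (constructed)")
    card.store("card-B", b"ACCT-0002 (constructed)")
    return card


if __name__ == "__main__":
    demo = build_demo_card()
    for name, tries in [("genuine", [GENUINE]), ("re-sign", [NERVOUS, GENUINE]),
                        ("forgery", [FORGERY, GENUINE])]:
        result, data = transact(demo, "jd", tries, "card-A")
        print(name, result.outcome, result.attempts, data)
```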

Modifications and variations may be made to the disclosed embodiments without departing from the subject and spirit of the present invention.

WHAT IS CLAIMED IS:

1. A method of securely storing confidential data relevant to a cardholder within a memory in a smartcard, comprising the following steps:

(a) storing within said memory said confidential data;

(b) storing within said memory PIN token data unique to said cardholder, said PIN token data representing a biometric created by said cardholder; and

(c) reading said confidential data from said memory only after a person presenting said smartcard provides a said biometric that upon signal processing, produces a PIN identical within a predetermined acceptance threshold to said PIN token data stored at step (b).

2. The method of claim 1, wherein at step (b) said biometric is a genuine signature made by said cardholder, and step (c) includes said person writing a signature, when using said smartcard, that upon signal processing produces a signature PIN identical within said predetermined acceptance threshold to said PIN token data stored at step (b).

3. The method of claim 1, wherein at step (b) said biometric is a portion of a fingerprint made by said cardholder, and step (c) includes said person producing a fingerprint, when using said smartcard, that upon signal processing produces a fingerprint PIN identical within said predetermined acceptance threshold to said PIN token data stored at step (b).

4. The method of claim 1, wherein at step (b) said biometric is selected from a group consisting of (i) a voiceprint made by said cardholder, (ii) a video image of at least a portion of a retina of said cardholder, and (iii) a video image of at least a portion of said cardholder's face.

5. The method of claim 1, wherein step (a) includes storing said confidential data in said memory in an encrypted format readable only with at least one encryption key also stored in said memory.

6. The method of claim 5, further including storing each said encryption key in said memory such that if physical integrity of said smartcard is violated, each said encryption key is erased;

wherein said confidential data stored in said memory is protected.

7. The method of claim 1, wherein said confidential data stored in said memory includes at least one type of data selected from a group consisting of (i) financial account data, (ii) business record data, (iii) business contact data, and (iv) medical data.

8. The method of claim 1, wherein:

said smartcard may be used by two cardholders;

at step (a) at least 4 KBytes of said confidential data is stored in said memory; and

step (b) includes storing unique PIN token data for each of said cardholders.

9. The method of claim 8, wherein step (a) includes storing confidential said data for use by each of said cardholders.

10. A smartcard that securely stores confidential data relevant to a cardholder within an internal memory, comprising:

memory having storage capacity for at least 4 KByte of confidential cardholder data whose confidentiality is to be preserved;

said memory further storing PIN token data unique to said cardholder, said PIN token data representing a biometric created by said cardholder;

wherein when using said smartcard, access to said confidential data is gained only after a person presenting said smartcard provides a said biometric that upon signal processing produces a PIN identical within a predetermined acceptance threshold to said PIN token data stored in said memory.

11. The smartcard of claim 10, wherein said memory further stores at least one encryption key such that said confidential cardholder data is stored in said memory in a format encrypted with said encryption key.

12. The smartcard of claim 11, further including means for deleting each said encryption key from said memory if physical integrity of said smartcard is violated.

13. The smartcard of claim 10, wherein said biometric is a genuine signature made by said cardholder, and wherein a person seeking to use said smartcard must first write a signature that upon signal processing produces a signature PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory.

14. The smartcard of claim 10, wherein:

said biometric is selected from a group consisting of (i) a portion of a fingerprint made by said cardholder, (ii) a voiceprint made by said cardholder, (iii) a video image of at least a portion of a retina of said cardholder, and (iv) a video image of at least a portion of said cardholder's face; and

a person seeking to use said smartcard must first produce a biometric that upon signal processing produces a PIN identical within said predetermined acceptance threshold to said PIN token data stored in said memory.

15. The smartcard of claim 10, wherein said confidential data stored in said memory includes at least one type of data selected from a group consisting of (i) financial account data, (ii) business record data, (iii) business contact data, and (iv) medical data.

16. The smartcard of claim 10, wherein said smartcard may be used by two cardholders, and wherein said memory stores unique PIN token data for each of said cardholders.

17. The smartcard of claim 16, wherein said memory stores confidential said data for use by each of said cardholders.

18. A system for preserving security of confidential 
data relevant to a cardholder stored in a smartcard, 
comprising: 

said smartcard including memory storing at least 4 
KByte of confidential cardholder data whose confidentiality 
is to be preserved; 

said memory further storing PIN token data unique to 
said cardholder, said PIN token data representing a 
biometric created by said cardholder; and 

a unit, disposed at a point of use of said smartcard, 
with which a person presenting said smartcard must 
produce said biometric that upon signal processing 
produces a PIN identical within a predetermined acceptance 
threshold to said PIN token data stored in said memory 
before access to said confidential cardholder data is 
gained. 

19. The system of claim 18, wherein said biometric 
includes at least one characteristic selected from a 
group consisting of (a) a genuine signature made by said 
cardholder, wherein said person presenting said smartcard 
must first write a signature that upon signal processing 
produces a signature PIN identical within said predetermined 
acceptance threshold to said PIN token data stored 
in said memory, (b) at least a portion of a fingerprint 
made by said cardholder, wherein said person presenting 
said smartcard must first produce a fingerprint that upon 
signal processing produces a fingerprint PIN identical 
within said predetermined acceptance threshold to said 
PIN token data stored in said memory, (c) a voiceprint 
made by said cardholder, wherein said person presenting 
said smartcard must first enunciate at least one sound 
that upon signal processing produces a voiceprint PIN 
identical within said predetermined acceptance threshold 
to said PIN token data stored in said memory, and (d) a 
portion of a video image scanned from said cardholder, 
wherein said person presenting said smartcard must first 
be video scanned to produce an image that upon signal 
processing produces an image PIN identical within said 
predetermined acceptance threshold to said PIN token data 
stored in said memory. 

20. The system of claim 18, wherein said smartcard 
may be used by two cardholders, said memory stores unique 
PIN token data for each of said cardholders, and said 
memory further stores confidential said data for use by 
each of said cardholders. 



WO 00/00923    PCT/US99/14894 



FIG. 4 (flowchart, sheet 4/4; reference numerals 200, 210, 220, 230 and 250) 

PURPORTED CARD OWNER PROVIDES REAL-TIME EXEMPLAR OF BIOMETRIC 
PROCESS BIOMETRIC TO GENERATE REAL-TIME PIN TOKEN DATA 
READ PIN TOKEN DATA STORED IN SMARTCARD 
COMPARE STORED TOKEN DATA TO REAL-TIME PIN TOKEN DATA 
SUBSTANTIAL DISCREPANCY? YES: (PROVIDE BIOMETRIC AGAIN) / HALT TRANSACTION 
READ RELEVANT STORED DATA FROM SMARTCARD MEMORY. PROCEED WITH TRANSACTION 
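The FIG. 4 flow combined with the two-cardholder arrangement of claims 16, 17 and 20, as an added example that is not part of the patent text. The token representation (a numeric feature vector), the discrepancy metric (mean absolute difference), the retry cap of three and all names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # assumption: the flow only shows a "provide biometric again" loop

@dataclass
class Cardholder:
    pin_token: tuple    # stored PIN token data, modelled here as a feature vector
    confidential: dict  # data released only after this holder's token matches

@dataclass
class Smartcard:
    threshold: float    # predetermined acceptance threshold
    holders: dict = field(default_factory=dict)

def discrepancy(stored, live):
    """Mean absolute difference between stored and real-time tokens (assumed metric)."""
    if not stored or len(stored) != len(live):
        return float("inf")  # malformed input can never match
    return sum(abs(a - b) for a, b in zip(stored, live)) / len(stored)

def present_card(card, exemplars):
    """Compare each real-time token to every stored token; release data on a match."""
    for live in list(exemplars)[:MAX_ATTEMPTS]:
        for name, holder in card.holders.items():
            if discrepancy(holder.pin_token, live) <= card.threshold:
                # only the matching cardholder's data leaves the card
                return ("PROCEED", name, holder.confidential)
        # substantial discrepancy against every stored token: ask again
    return ("HALT", None, None)

def demo_card():
    """Constructed sample card with two cardholders (values are made up)."""
    return Smartcard(threshold=0.05, holders={
        "alice": Cardholder((0.12, 0.80, 0.33, 0.57), {"account": "ACCT-A-PLACEHOLDER"}),
        "bob": Cardholder((0.90, 0.10, 0.45, 0.20), {"account": "ACCT-B-PLACEHOLDER"}),
    })

if __name__ == "__main__":
    card = demo_card()
    print(present_card(card, [(0.13, 0.78, 0.35, 0.57)]))  # close to alice's token
    print(present_card(card, [(0.5, 0.5, 0.5, 0.5)] * 5))   # impostor, retries exhausted
```

Because the match is a tolerance comparison rather than an equality test, the stored token cannot be a plain one-way hash of the biometric, so the memory holding it needs the same protection as the confidential data itself.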






INTERNATIONAL SEARCH REPORT 

International application No. PCT/US99/14894 

A. CLASSIFICATION OF SUBJECT MATTER 
IPC(6): G06K 3/00 
US CL: 235/380 
According to International Patent Classification (IPC) or to both national classification and IPC 

B. FIELDS SEARCHED 
Minimum documentation searched (classification system followed by classification symbols) 
U.S.: 235/380, 382, 382.5, 492; 382/115, 117, 118, 119, 120, 124; 902/2, 3, 4, 5, 26 

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 

Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 
Please See Extra Sheet 

C. DOCUMENTS CONSIDERED TO BE RELEVANT 



Category* / Citation of document, with indication, where appropriate, of the relevant passages / Relevant to claim No. 

US 5,578,808 A (TAYLOR) 26 November 1996 (26/11/96), see 
entire document. 
Relevant to claim No.: 1-7, 10-15, 18, 19 

US 4,827,518 A (FEUSTEL et al) 02 May 1989 (02/05/89), see 
entire document. 
Relevant to claim No.: 1, 10, 18 

US 4,837,422 A (DETHLOFF et al) 06 June 1989 (06/06/89), see 
column 1, lines 6-20, column 3, lines 32-52, column 4, lines 65-68, 
column 5, lines 1-34, column 6, lines 19-48, column 11, lines 26-31, 
column 12, lines 48-64. 
Relevant to claim No.: 8, 9, 16, 17, 20 

US 5,280,527 (GULLMAN et al) 18 January 1994 (18/01/94), see 
entire document, especially column 3, lines 37-55. 
Relevant to claim No.: 1-4, 7, 10, 13-15, 18, 19 

US 5,150,420 A (HARAGUCHI) 22 September 1992 (22/09/92), see 
entire document. 
Relevant to claim No.: 1, 2, 10, 13, 18, 19 



[X] Further documents are listed in the continuation of Box C.    [ ] See patent family annex. 






Date of the actual completion of the international search: 14 AUGUST 1999 

Date of mailing of the international search report 

Name and mailing address of the ISA/US 
Box PCT 
Washington, D.C. 20231 
Facsimile No. (703) 305-3230 

Authorized officer: JARED J. FUREMAN 
Telephone No. (703) 308-1782 






B. FIELDS SEARCHED 
Electronic data bases consulted (Name of data base and where practicable terms used): 

APS 
search terms: IC card, smart card, chip card, memory card, circuit card, biometric, biometrics, fingerprint, signature, 
voiceprint, image, threshold, range, parameter, tolerance, limit, limits 






